This looks like a major worm that is going global
Please run windows update as soon as possible and spread the word
It may be worth also closing down ports 445 / 139 / 3389
Hail backups, and whoever keeps those ports accessible to the outside
without a decent ACL in the firewall, or restricting it to (IPsec) VPN's
should be shot on sight anyways.
My $0.02, for people doing internal/private triage:
- If your use of IPv4 space is sparse by routes, dump your internal routing
table and convert to summarized CIDR.
- Feed your CIDRs to masscan [1] to scan for internal port 445 (masscan
randomizes targets, so destination office WAN links won't saturate, but
local/intermediate might if you're not careful, so tune):
sudo masscan -p445 --rate=[packets-per-second safe for your network]
-iL routes.list -oG masscan-445.out
- Use https://github.com/RiskSense-Ops/MS17-010/tree/master/scanners (the
python2 one, or the Metasploit one if you can use that internally) to
detect vuln. the python one is not* a parallelized script, so consider
breaking it into multiple parallel runners if you have a lot of scale.
- If you're using SCCM/other, verify that MS17-010 was applied - but be
mindful of Windows-based appliances not centrally patched, etc. Trust but
verify.
- In parallel, consider investigating low-hanging fruit by OU
(workstations?) to disable SMBv1 entirely.
Royce
Thanks for the headsup but I would expect to see some references to the
patches that need to be installed to block the vulnerability (Sorry for
sounding like a jerk).
We all know to update systems ASAP.
MS17-010
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
Just a note folks that while this particular ransomware is using the
MS17-010 exploit to help spread, it does not rely on it. This is still a
regular piece of ransomware that if someone opens the malicious file, will
encrypt files.
SANS has some IoCs and more information:
https://isc.sans.edu/forums/diary/Massive+wave+of+ransomware+ongoing/22412/
Kaspersky reckons the exploit applies to SMBv2 as well:
https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in
-widespread-attacks-all-over-the-world/
I thought it was a typo in para 2 and the table, but they emailed back
saying nope, SMBv2 is (was) also broken. However, they also say (same
page) that the MS patch released in March this year fixes it.
Assuming they are right, I wonder why Microsoft didn't mention SMBv2?
Regards, K.
The SMBv1 issue was disclosed a year or two ago and never patched.
Anyone who was paying attention would already have disabled SMBv1.
Thus is the danger and utter stupidity of "overloading" the function of service listeners with unassociated road-apples. Wait until the bad guys figure out that you can access the same "services" via a connection to the DNS port (UDP and TCP 53) on windows machines ...
Well it was patched by Microsoft of March 14th, just clearly people running large amounts of probably Windows XP have been owned.
Largely in Russia.
Nathan Brookfield
Chief Executive Officer
Simtronic Technologies Pty Ltd
http://www.simtronic.com.au
Well, this one was patched (or more accurately, undone). Perhaps. Maybe.
How many other "paid defects" do you estimate there are in Microsoft Windows waiting to be exploited when discovered (or disclosed) by someone other than the "Security Agency" buying the defect?
Almost certainly more than just this one ... and almost certainly there is more than a single "payor agency" independently purchasing the deliberate introduction of code defects.
One word. Linux.
After this we'll probably see (yet more) additional processes running on
windows boxes safe guarding against issues like this, forcing windoze users
to upgrade memory/processor/disk space. I, for one, am not looking at
Windoze 10 S as it locks too many applications needed for work to the
Windoze store.
Getting kind of ridiculous if you ask me.
-Joe
Not to mention of course that the version of Windows 10 that actually has all Microsoft's wonder-dunder-touted-all-and-fro security features is the one that most mere mortals cannot buy.
I wunder.
When there are these wunderful fluffings of the security of Windows 10, should one be suing Microsoft for not explicitly stating in the opening sentence that the features touted do not apply to any version of Windows that can be purchased at whim (ie, retail) and only applies to the "Enterprise" version which is *only* available with a minimum purchase quantity and the selling of the first (and second) born to Microsoft, and at that only after entering into a really nasty contract with Microsoft?
Or should one be suing all the "security fools and newsfrothers" that promulgate the story without specifying that the emperors "new secure clothing" is only available to "Enterprise" customers with special contracts to Microsoft and failing to warn that Microsoft has deliberately left everyone else "naked and unprotected"?
Or should one simply sue them all and let God (or a judge) sort it out?
I show MS17-010 as already superseded in SCCM
Or BSD, or anything but Windows. Anyone running Microsoft products
is quite clearly an unprofessional, unethical moron and fully deserves
all the pain they get -- including being sued into oblivion by their
customers and clients for their obvious incompetence and negligence.
---rsk
Tell you what. Go over to http://line6.com/software/ - You convince them to
produce a Linux version of the software for their musician's gear, and I'll get
rid of the Toshiba laptop running Windows. Alternatively, find me an OSX
laptop that costs anywhere near the $400 I paid for the Toshiba Satellite.
(And yes, I already tried running their software in a VM, neither VirtualBox
or VMWare does a good enough job of emulating MIDI-over-USB2 to let the drivers
in the VM connect to my Pod HD, so don't bother suggesting that).
You want to repeat your claim that I'm an unprofessional, unethical moron
because I have a fully patched Windows 10 laptop that's backed up on a regular
basis because there's no realistic alternative?
Or BSD, or anything but Windows. Anyone running Microsoft products
is quite clearly an unprofessional, unethical moron and fully deserves
all the pain they get -- including being sued into oblivion by their
customers and clients for their obvious incompetence and negligence.
aside from being grossly rude, hyperbolic, and uninteligent, this rant
ignores reality enough to make you a viable presidential candidate.
80% of desk/laptops run windows. get over it. windows is embedded in
many systems which will be hard to update in an hour or 100 hours. and
rude ranting is not doing one micron to help deal with it.
embedded systems are very hard to update, think special drivers, kinky
mods, ... aside from the long softdev time, how much time do you think
QA will take for moving a piece of medical equipment from xp to win10,
let alone bsd? and the state of the bsd update process is not something
to describe in polite company.
we have a vulnerable chain from weak software (which is improving, and
msoft has been in the lead there for a decade), to nsa/cia not
disclosing, to people choosing or having to run old versions (of
whatever (and linux/bsd are not immune) for financial or technical
reasons, to the conservative or lazy logistics of patching. we can try
to improve things at each link. but this is gonna be slow.
though this ransomware attack is not really that much larger than other
attacks in the past (and the future is not cheering), at least it has
reached the front pages and maybe people will patch more and vendors
will issue more/better updates. but, as @zeynep says, the lack of
liability along the chain above allows bad practices to continue.
in the meantime, backup, backup and take it offline so it does not get
encrypted for you, patch, turn off unnecessary services/options, rinse
repeat. and try to promote prudent use among friends, family, and
workplace.
randy
With that kind of attitude and disconnect from reality I wonder who is the unprofessional moron...
- Jorge (mobile)
You make some excellent points: but I grow very, very tired of having
to spend my time and my energy -- note timestamp on my message -- dealing
with the fallout. It should be painfully clear to everyone that there
is no such thing as a secure Windows system. [1] It should have been
painfully clear after Code Red, after the rise of bots, and after a
hundred other incidents before/since of varying severity and duration.
But apparently it's not and so despite the impact of this current one --
including large-scale disruption of healthcare in the UK -- this will keep
happening over and over again. And even those of us who have the good
judgment to never use Microsoft products have to pay the price for
the poor decision-making of others. Again. And again.
It's getting old. Just like all the other things that people do (many
of which have been discussed here at great length) that cause problems
for others who are making an earnest attempt to do things right.
How bad do things have to get before the people who are stubbornly
clinging to this finally let go? Does someone have to die? Because --
again, see healthcare provider impact in the UK -- we're not that
far from it.
---rsk
[1] There may be no such thing as a secure system, period. But it
would be better to deploy things that may have a fighting chance
instead of things that have long since proven to have none at all.
fyi, current opinion in the security community seems to be that win10 is
better secured than linuxes, bsds, ... see http://cyber-itl.org/; still
pretty sparse, but getting flushed out.
randy
Link?
I only posted it as reference to the vulnerability.
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373